yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands

The environment variable ACTIONS_ALLOW_UNSECURE_COMMANDS grants this workflow permissions to use the set-env and add-path commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don't use ACTIONS_ALLOW_UNSECURE_COMMANDS. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information.
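As an added example (not code from the rule page or from actions/toolkit), these are the shell helpers a `run:` step can use in place of the `::set-env` and `::add-path` workflow commands: they write to the `GITHUB_ENV` and `GITHUB_PATH` environment files that the runner exports, using the documented delimiter form for multi-line values. The helper names `set_env` and `add_path` are chosen here.

```shell
#!/usr/bin/env sh
# Added example, not the rule's or actions/toolkit's own code. Assumes the
# runner has exported GITHUB_ENV and GITHUB_PATH (point them at temporary
# files to try it outside a workflow).

# set_env NAME VALUE: append NAME=VALUE to the GITHUB_ENV file so later
# steps see it, without ACTIONS_ALLOW_UNSECURE_COMMANDS or ::set-env.
set_env() {
  : "${GITHUB_ENV:?GITHUB_ENV is not set; not running under a GitHub runner}"
  name=$1
  value=$2
  nl='
'
  case $value in
    *"$nl"*)
      # Multi-line value: use the "NAME<<DELIM ... DELIM" form from the
      # environment-files docs, with a random delimiter so an embedded
      # newline in the value cannot terminate the assignment early.
      delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
      printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$GITHUB_ENV"
      ;;
    *)
      # Single-line value: plain NAME=VALUE entry.
      printf '%s=%s\n' "$name" "$value" >> "$GITHUB_ENV"
      ;;
  esac
}

# add_path DIR: prepend DIR to PATH for subsequent steps via GITHUB_PATH,
# the replacement for ::add-path. Each line of the file is one directory.
add_path() {
  : "${GITHUB_PATH:?GITHUB_PATH is not set; not running under a GitHub runner}"
  printf '%s\n' "$1" >> "$GITHUB_PATH"
}
```

Both files are read by the runner after the step finishes, so the new variable and path entry apply to the following steps of the same job, not to the step that wrote them.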
Definition
rules:
- id: allowed-unsecure-commands
  languages:
  - yaml
  severity: WARNING
  message: The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this
    workflow permissions to use the `set-env` and `add-path` commands. There
    is a vulnerability in these commands that could result in environment
    variables being modified by an attacker. Depending on the use of the
    environment variable, this could enable an attacker to, at worst, modify
    the system path to run a different command than intended, resulting in
    arbitrary code execution. This could result in stolen code or secrets.
    Don't use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment
    Files. See
    https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files
    for more information.
  metadata:
    cwe:
    - "CWE-749: Exposed Dangerous Method or Function"
    owasp: A06:2017 - Security Misconfiguration
    references:
    - https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
    - https://github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w
    - https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files
    category: security
    technology:
    - github-actions
    subcategory:
    - vuln
    likelihood: LOW
    impact: MEDIUM
    confidence: MEDIUM
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
  patterns:
  - pattern-either:
    - patterns:
      - pattern-inside: "{env: ...}"
      - pattern: "ACTIONS_ALLOW_UNSECURE_COMMANDS: true"
Examples
allowed-unsecure-commands.test.yaml
on: pull_request
name: command-processing-test
jobs:
  dangerous-job:
    name: example
    runs-on: ubuntu-latest
    steps:
    - name: dont-do-this
      env:
        # ruleid: allowed-unsecure-commands
        ACTIONS_ALLOW_UNSECURE_COMMANDS: true
      run: |
        echo "don't do this"
  another-dangerous-job:
    name: example2
    runs-on: ubuntu-latest
    env:
      # ruleid: allowed-unsecure-commands
      ACTIONS_ALLOW_UNSECURE_COMMANDS: true
    steps:
    - name: or-this
      run: |
        echo "seriously, dont"
  this-is-ok:
    name: example3
    runs-on: ubuntu-latest
    env: PREFIX = "~~^_^~~"
    run: |
      echo "$PREFIX hello"
Short Link: https://sg.run/qq78